ECPA

David Kris Points to the Clause Loopholed Under David Barron on Metadata Collection

I’m working on a longer post on David Kris’ paper on the phone [and Internet] dragnets.

But for the moment, I want to note that he strongly implies the US is relying on 18 U.S.C. § 2511(2)(f) to collect international metadata. He does it when he first introduces the phone dragnet secondary order (page 2).

The order excluded production of metadata concerning “communications wholly originating and terminating in foreign countries.”5 215 Bulk Secondary Order at 2; see Business Records FISA NSA Review at 15 (June 25, 2009) [hereinafter NSA End-to-End Review], available at http://www.dni.gov/files/documents/section/pub_NSA%20Business%20Records%20
FISA%20Review%2020130909.pdf; August 2013 FISC Order at 10 n.10; cf. 18 U.S.C. §2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”). [my emphasis]

And he does it just after suggesting that the FISA Court may have approved the phone dragnet in 2006 — however shabby the legal case — just to have it under FISC supervision (note, he also nods to the Internet metadata dragnet, but as I’ll note he goes through some contortions to avoid addressing it all that directly).

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.147

147 With respect to metadata concerning foreign-to-foreign communications, which the FISC’s order expressly does not address, see 18 U.S.C. § 2511(2)(f)

This is important because it is precisely the clause (the one Kris cites above) that the Office of Legal Counsel reinterpreted in 2010 to cover past illegal access to phone metadata, including US based phone metadata.

The existence of that memo was first disclosed by Glenn Fine in his Exigent Letter IG Report. (See also this post.) He described how, in the context of its effort to clean up the legal process free access of phone data from the telecoms, DOJ had ordered up this opinion (though they claimed they were not relying on it). In 2011, DOJ provided enough information in response to a FOIA to make it clear the memo pertained to this passage.

Now, in context, Kris is just implying that the government is using this clause to get the telecoms to voluntarily turn over foreign to foreign communications.

Except we know precisely how the NSA defines “foreign communications.”

Foreign communication means a communication that has at least one communicant outside of the United States. All other communications, including communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition, are domestic communications.

That is, so long as just one end of a communication is foreign, the NSA considers it a foreign communication (and therefore the telecoms can voluntarily disclose it under their interpretation of this clause of ECPA).

And remember: this opinion reinterpreting ECPA was written under the direction of — if not written by — David Barron, the guy Obama wants to have a lifetime appointment on the First Circuit.

I need to think through whether this means what I think it means. But it sure seems like Kris is not only saying that the government did use this loophole to collect metadata involving foreigners (and Americans). But given that DOJ claimed it could use this memo to clean up its entirely domestic communications problems (per the Fine IG Report), it sure seems like Kris is saying if we close the Section 215 collection, the government will just resume using ECPA.

Update: I just realized this post, which adopts an argument I made almost two weeks ago (that there is no original opinion for the phone dragnet) was written by Marty Lederman (who was at OLC during roughly the same period that Barron was).

Which is why I find it weird that Lederman makes an extended argument noting that an earlier clause in ECPA tweaked during the original PATRIOT Act bill prohibits this sharing of phone metadata.

You wouldn’t know it from Judge Eagan’s opinion–or from David Kris’s paper, for that matter–but Congress has actually considered the specific question about whether and under what circumstance service providers may disclose to the government the telephony metadata of their customers, and has enacted a statute dealing specifically with that question–a statute that expressly prohibits such disclosure.  Moreover, the prohibition in question was enacted as part of the very same law that includes Section 215, namely, the PATRIOT Act of 2001.

A provision of the Electronic Communications Protection Act (ECPA), 18 U.S.C. 2702(a)(3), states that “a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.”

Statutory language doesn’t often get much clearer than that:  A provider of remote computing service or electronic communication service to the public — a category that includes phone service providers — cannot knowingly convey consumer records or information to any governmental entity.

Remarkably, Congress added this prohibition to ECPA in section 212(a)(1)(B)(iii) of the 2001 PATRIOT Act itself–the same law in which section 215 expanded the “business records” provision upon which the government relies here.  The two provisions are only three pages apart in the Statutes at Large.  In other words, the government is relying here upon a broad, general “business records” provision included in the PATRIOT Act; but in that very same legislation, Congress included another provision specifically involving the business records of telephone customers, and in that more specific provision it precluded the very sort of records transfer at issue here.

The thing is, I find it almost impossible to believe that Lederman wouldn’t know about (or even didn’t review) that January 8, 2010 opinion. And he certainly must know what the implications of invoking foreign communications in the context of 18 U.S.C. § 2511(2)(f) to be.

I’m confused.

Update: I missed one other mention of 2511(2)(f), which comes in Kris’ incomplete description of all the violations in the phone dragnet program (it is incomplete, in part, because he cites from the June report of the problems rather than the August filing presenting them, which includes several more, probably more troubling violations; but he also misses details of a few of the other violations which is particularly interesting because he, of all people, must know this stuff).

(8) acquisition of metadata for foreign-to-foreign telephone calls from a provider that believed such metadata to be within the scope of the FISC’s orders, when it was not, NSA End-to-End Review at 15; cf. August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); see generally 18 U.S.C. § 2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”);

His inclusion of it here is interesting because this violation is likely the collection that Reggie Walton shut down temporarily on July 9, 2009. Does that mean they just kept collecting from this provider (I wonder, by the way, whether it’s something exotic like Skype), and deemed it covered by 18 U.S.C. § 2511(2)(f)? If so, Kris would have been among those who made the decision to do so.

The Two OLC Still-Secret Memos Behind the Cross-Border Keyword Searches?

Last week, Charlie Savage explained what this paragraph from the NSA’s targeting document means.

In addition, in those cases where NSA seeks to acquire communications about the target that are not to or from the target, SNA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country. In either event, NSA will direct surveillance at a party to the communication reasonably believed to be outside the United States.

Savage explained that it refers to the way the US snoops through almost all cross-border traffic for certain keywords.

To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.

[snip]

The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”

The official said the keyword and other terms were “very precise” to minimize the number of innocent American communications that were flagged by the program. At the same time, the official acknowledged that there had been times when changes by telecommunications providers or in the technology had led to inadvertent overcollection. The N.S.A. monitors for these problems, fixes them and reports such incidents to its overseers in the government, the official said.

In his post on Savage’s story (which I think misreads what Savage describes), Ben Wittes focused closely on the last paragraphs of the story.

But that leaves a big oddity with respect to the story. The end of Savage’s story reads as follows:

There has been no public disclosure of any ruling by the Foreign Intelligence Surveillance Court explaining its legal analysis of the 2008 FISA law and the Fourth Amendment as allowing “about the target” searches of Americans’ cross-border communications. But in 2009, the Justice Department’s Office of Legal Counsel signed off on a similar process for searching federal employees’ communications without a warrant to make sure none contain malicious computer code.

That opinion, by Steven G. Bradbury, who led the office in the Bush administration, may echo the still-secret legal analysis. He wrote that because that system, called EINSTEIN 2.0, scanned communications traffic “only for particular malicious computer code” and there was no authorization to acquire the content for unrelated purposes, it “imposes, at worst, a minimal burden upon legitimate privacy rights.”

The Bradbury opinion was echoed by a later Obama-era opinion by David Barron, and Bradbury later wrote an article about the issue. But here’s the thing: If my read is right and the rule Savage cites permits only acquisition of communications “about” potential targets only from folks reasonably believed themselves to be overseas, these opinions are of questionable relevance. Indeed, if my reading is correct, why is there a Fourth Amendment issue here at all? The Fourth Amendment, after all, does not generally have extraterritorial application. This may be a reason to suspect that the issue is more complicated than I’m suggesting here. It may also merely suggest that someone cited to Savage a memo that is of questionable relevance to the issue at hand.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

Remember, we do know of one OLC memo — dated January 8, 2010 — that pertains to the government obtaining international communications willingly from service providers. We learned about it in the context of the Exigent Letters IG Report, which first led observers to believe it pertained to phone records.

But we’ve subsequently learned this is the passage of ECPA the OLC interpreted creatively in secret.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Savage’s reference to the Bradbury opinion suggests all this happens at the packet stage, which may be one (arguably indefensible) way around the electronic communications dodge.

The FBI had not relied on the opinion as of 2010, when we first learned about it. But we also know that since then, the government stopped collecting Internet metadata using a Pen Regsiter/Trap and Trace order.

We know that Feingold and Wyden, with Dick Durbin, asked for a copy of the opinion themselves shortly after the IG Report revealed it. It’s possible that the former two asked for it to be declassified.

This is, frankly, all a wildarsed guess. But Wyden certainly thinks there are two problematic OLC memos out there pertaining to cybersecurity. And Savage seems to think this process parallels the means the government is using for cybersecurity. So it may be these are the opinions.

The Most Transparent Administration Ever Hides More OLC Opinions

Ryan Reilly has liberated a list — such as DOJ would release — of the OLC opinions written under Obama. As he notes, DOJ has refused to even give him a list, much the number, of the classified OLC memos.

What’s more interesting is what wasn’t included: The office stated that it was withholding, in full, 11 lists of classified OLC opinions. Because the length of each list is unknown, it’s unclear how many classified opinions the OLC has issued during the Obama administration.

And it has redacted a ton of the names of unclassified opinions, citing deliberative privilege.

The titles of many OLC opinions were fully redacted in the lists provided, with a Justice Department official writing that the titles were “protected by the deliberative process, attorney-client, and/or attorney work-product privileges.” The names of the lawyers who wrote a number of opinions — including the memo on the president’s use of recess appointments during the Senate’s pro forma sessions — were also blacked out because their disclosure would “constitute a clearly unwarranted invasion of personal privacy,” the official wrote.

Some of the memos mentioned in the list have already been disclosed online by the OLC.

He also notes one memo the existence of which has already been revealed doesn’t appear on the list.

The Justice Department even redacted the title of the opinion on whether the president could unilaterally ignore the debt ceiling limit, though the existence of that memo was disclosed in response to a FOIA request from Talking Points Memo in 2011.

There’s in fact at least one other known OLC opinion that doesn’t show up on the list: a January 8, 2010 memo on whether the Electronics Communication Privacy Act would prevent telecoms from willingly turning over international communications to the government. It was first revealed in a January 2010 DOJ IG Report on Exigent Letters (see this post for background).

On January 8, 2010, the OLC issued its opinion, concluding that the ECPA “would not forbid electronic communications service providers [three lines redacted]281 In short, the OLC agreed with the FBI that under certain circumstances [~2 words redacted] allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.

In February 2011, McClatchy’s Marisa Taylor received a FOIA denial for the memo, although in denying her request DOJ revealed that this was the section of the law the memo discussed.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Effectively, DOJ has already made clear that the memo says it can get international communications with no legal process.

But it didn’t release the name of the memo to Reilly.

There are two explanations for that. It has redacted the names of many OLC opinions under deliberative process, which it often argues means that it did not rely on the memo and therefore it did not influence the Executive’s final decision. That’s probably what happened with the debt ceiling memo; we know Obama hasn’t unilaterally raised the debt ceiling, meaning he hasn’t relied on the memo, so even though it has confirmed the memo exists, DOJ is hiding the memo because the Administration didn’t ultimately rely on it.

It may have redacted the title of the ECPA decision for the same reason. In the IG Report, at least, FBI claimed it would not rely on the opinion (no doubt meaning it would get all our communications via some other means).

Alternately, it could be considering this memo, which has been discussed at length, classified. Stranger things have happened with this Administration.

Update: Just checked, and via email at the time, Taylor said this is what DOJ told her:

The cover letter dated Feb. 8, 2011 to McClatchy said the OLC memo was protected by the “deliberative process privilege” under Exception Five. The letter also said the memo is “classified” and therefore “exempt pursuant to Exemption One, 5 USC 552 (b)(1).” The letter goes on to describe the memo as “a January 8, 2010 OLC memorandum analyzing the authority of the FBI under Section 2511 (2)(F) of the Stored Communications Act, 18 USC 2511 (2)(f).”

So they’re at least claiming a b5, and possibly claiming that its very name remains classified, in spite of repeated references to it in unclassified form.

In any case, the refusal to release even the name of memos that we know exist sure boosts the Administration’s claim to be the most transparent ever!

ECPA Amendments and Privacy in a Post Petraeus World

One of the issues making the rounds like wildfire today was a report from Declan McCullagh at CNET regarding certain proposed amendments to the Electronic Communications Privacy Act (ECPA). The article is entitled “Senate Bill Rewrite Lets Feds Read Your E-mail Without Warrants” and relates:

A Senate proposal touted as protecting Americans’ e-mail privacy has been quietly rewritten, giving government agencies more surveillance power than they possess under current law.

CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans’ e-mail, is scheduled for next week.

Leahy’s rewritten bill would allow more than 22 agencies — including the Securities and Exchange Commission and the Federal Communications Commission — to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge. (CNET obtained the revised draft from a source involved in the negotiations with Leahy.)

This sounds like the predictably craven treachery that regularly comes out of Senate, indeed Congressional, legislation on privacy issues. And exactly what many had hoped would cease coming out of Washington after the public scrutiny brought on by the Petraeus/Broadwell/Kelley scandal. And, should these amendments make it into law, they may yet prove detrimental.

But there are a couple of problems here. First, as Julian Sanchez noted, those abilities by the government already substantially exist.

Lots of people RTing CNET’s story today seem outraged Congress might allow access to e-mail w/o warrant—but that’s the law ALREADY!

Well, yes. Secondly, and even more problematic, is Pat Leahy vehemently denies the CNET report. In fact, Senator Leahy does not support broad exemptions for warrantless searches for email content. A source within the Judiciary Committee described the situation as follows: Continue reading

FBI Still Inventing New Ways to Surveil People with No Oversight

Marisa Taylor has an important update on the OLC exigent letter opinion. Last year, DOJ’s now-retired Inspector General Glenn Fine released a report revealing how the FBI had used exigent letters to get call data information from telecoms with no oversight. Ryan Singel noted a reference to an OLC opinion that basically melted away the problems created by use of these exigent letters (see pages 264-266 of the report).

On January 8, 2010, the OLC issued its opinion, concluding that the ECPA “would not forbid electronic communications service providers [three lines redacted]281 In short, the OLC agreed with the FBI that under certain circumstances [~2 words redacted] allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.

Taylor FOIAed the opinion.

And while DOJ refused to release the opinion, they did apparently reveal enough in their letter explaining their refusal to make it clear that the FBI maintains that it does not need any kind of court review to get telephone records of calls made from the US to other countries.

The Obama administration’s Justice Department has asserted that the FBI can obtain telephone records of international calls made from the U.S. without any formal legal process or court oversight, according to a document obtained by McClatchy.

[snip]

The Obama administration’s Justice Department has asserted that the FBI can obtain telephone records of international calls made from the U.S. without any formal legal process or court oversight, according to a document obtained by McClatchy.

EFF’s Kevin Bankston provides some context.

“This is the answer to a mystery that has puzzled us for more than a year now,” said Kevin Bankston, a senior staff attorney and expert on electronic surveillance and national security laws for the nonprofit Electronic Frontier Foundation.

“Now, 30 years later, the FBI has looked at this provision again and decided that it is an enormous loophole that allows them to ask for, and the phone companies to hand over, records related to international or foreign communications,” he said. “Apparently, they’ve decided that this provision means that your international communications are a privacy-free zone and that they can get records of those communications without any legal process.”

Now, I’m trying to get some clarification as to precisely what language DOJ used (see update below). But the revelation is interesting for two reasons.

As I argued last year, the opinion probably serves to clean up a lot of the illegal stuff done under the Bush Administration. I think it likely that this includes Cheney’s illegal wiretap program. If I’m right, then this claim would be particularly interesting not least because of all the discussions about US to international calls during the debate around FISA Amendments Act.

Then of course there’s the even bigger worry. When Fine released his report, the FBI assured him that it wouldn’t actually use this opinion. “No, Dad, I have no intention of taking the Porsche out for a spin, so don’t worry about leaving the keys here.”

But the fact that DOJ seems to be doubling down on this claim sort of suggests they are relying on the opinion.

Also, I can’t help but note about the timing of this FOIA response: Conveniently for DOJ, they didn’t respond to McClatchy until after Russ Feingold and Glenn Fine, the two people most likely to throw a fit about this, were out of the way.

Update: Via email, Kevin Bankston told me this is the clause the government is using to find its loophole: 18 USC 2511(2)(f).

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Emptywheel Twitterverse
bmaz @MarkSZaidEsq @emptywheel @KanysLupin @BradMossEsq @Thomas_Drake1 Legality, ability of cts to rule, extent of disclosure, nature of collectn
3mreplyretweetfavorite
emptywheel @MarkSZaidEsq the first is clearly false. the second may have no means to be tested. @KanysLupin @bmaz @BradMossEsq @Thomas_Drake1
5mreplyretweetfavorite
emptywheel @MarkSZaidEsq That judges get all info they ask, that overseas USP collection legal @KanysLupin @bmaz @BradMossEsq @Thomas_Drake1
5mreplyretweetfavorite
emptywheel @MarkSZaidEsq But as I've pointed out some false assumptions on your part, 2-way street. @KanysLupin @bmaz @BradMossEsq @Thomas_Drake1
12mreplyretweetfavorite
bmaz @BradMossEsq @emptywheel @MarkSZaidEsq @Thomas_Drake1 Again with the completely bogus+impertinent "legal/illegal" dichotomy.
12mreplyretweetfavorite
emptywheel @BradMossEsq Actually, no. BC govt officials recently actively misled oversight body on it. @MarkSZaidEsq @Thomas_Drake1 @bmaz
27mreplyretweetfavorite
emptywheel @BradMossEsq 1. And told Tsarnaev he couldn't have it, tho govt has said they used it w/him. @MarkSZaidEsq @Thomas_Drake1 @bmaz
29mreplyretweetfavorite
emptywheel @MarkSZaidEsq Sure. But now it is designed to ALSO avoid the non-hypotheticals. @BradMossEsq @Thomas_Drake1 @bmaz
31mreplyretweetfavorite
bmaz @MarkSZaidEsq @emptywheel @BradMossEsq @Thomas_Drake1 They are only "hypothetical" because of govts malicious concealment from Cong+citizens
34mreplyretweetfavorite
bmaz @emptywheel @MarkSZaidEsq @BradMossEsq @Thomas_Drake1 Evidence can be collected "legally" and still used improperly, and we know it has.
35mreplyretweetfavorite
bmaz @emptywheel @MarkSZaidEsq @BradMossEsq @Thomas_Drake1 Not to mention that "illegality" is a false+impertinent std. to Constitutional issue.
36mreplyretweetfavorite
emptywheel @MarkSZaidEsq Just pointing out neither FISC nor defense courts may expose any hypothetical illegality @BradMossEsq @Thomas_Drake1 @bmaz
39mreplyretweetfavorite
April 2014
S M T W T F S
« Mar    
 12345
6789101112
13141516171819
20212223242526
27282930